Device and Method for Certifying Reliability of Public Key, and Program Therefor

ABSTRACT

Proving reliability of a second public key of a second key pair generated in association with a first key pair. A generator  210  calculates and stores x·H(n) which is proof data and ax·H(n), when the second public key ax·g 1  which is of the second key pair is generated (S 301 ). The generator  210  provides the calculated proof data to a receiving apparatus  220  (S 302 ) which has received the proof data, transmits a proof request to the proving apparatus  230  for requesting a proof that the second public key ax·g 1  is generated by an owner of the first public key a·g 1  (S 303 ). In response to the proof request, the proving apparatus  230  verifies the proof data by calculating a verification formula for the proof data (S 304 ). The proving apparatus  230  transmits the verification result as a response to the proof request from the receiving apparatus  220  (S 305 ).

TECHNICAL FIELD

An aspect of the present invention relates to an apparatus, method, andprogram for proving a reliability of a public key.

BACKGROUND

With the expansion of economic activity on the Internet, there is agrowing need to reliably identify the actors of such activity.

Digital certificates are often used to guarantee the reliability of datatransmitted over the Internet. A digital certificate certifies the ownerof the public key that corresponds to the secret key used to digitallysign the data being transmitted and is issued by a trusted certificationauthority. The recipient of the data confirms the validity of thedigital certificate and verifies the digital signature with a publickey.

SUMMARY Technical Problem

In the future, there will be an increase in the number of situations inwhich interactions over the Internet need to be reliable, which willlead to an increase in the demand for various forms of electroniccertification, depending on the application.

However, current certification authority-centric public key cryptographyschemes are not easy to deal with flexibly.

The present invention has been made in view of above problem, and itsfirst objective is to provide an apparatus, method and a program forgenerating a second key pair comprising a second secret key and a secondpublic key in association with a first key pair comprising a trustedfirst secret key and a first public key.

Also, a second objective of the present invention is to provide anapparatus, a method and a program for proving the authenticity of asecond public key comprising a second key pair generated in associationwith a first key pair.

Also, a third objective of the present invention is to provide anapparatus, method and a program for executing or verifying an electronicsignature using a second key pair generated in association with a firstkey pair.

Solution to the Problem

To achieve this objective, the first aspect of the present invention isa method of generating a second key pair comprising a second secret keyand a second public key in association with a first key pair comprisinga first secret key and a first public key, wherein a first secret key isa, a generator of a cyclic group G is g, a first public key is a·g, asecond secret key is ax and a second public key is ax·g, comprisingsteps of: determining an integer x, multiplying a first secret key a(where a is an integer) by the x to calculate and store a second secretkey ax, multiplying the first public key a·g by the x or multiplying thefirst secret key a by the x and the g to calculate and store the secondpublic key ax·g.

Also, the second aspect of the present invention is a method ofgenerating a second key pair comprising a second secret key and a secondpublic key in association with a first key pair comprising a firstsecret key and a first public key, wherein a first secret key is a, agenerator of a cyclic group G is g, a first public key is a·g, a secondsecret key is ax, and a second public key is ax·g, comprising steps of:determining an integer x, determining a second secret key ax (where axis an integer), multiplying the first public key a·g (where a is aninteger) by the x, multiplying the first secret key a by the x and theg, or multiplying the second secret key ax by the g, to calculate andstore the second public key ax·g.

Also, the third aspect of the present invention is the method accordingto the first or second aspect, wherein the generator of the cyclic groupG is a point of an elliptic curve.

Also, the fourth aspect of the present invention is the method accordingto the third aspect, wherein the signature scheme by the first key pairis Elliptic Curve DSA.

Also, the fifth aspect of the present invention is the method accordingto any one of the first to fourth aspects, further comprising the stepof transmitting the first public key a·g from a first apparatus thatcalculated the second public key ax·g to a second apparatus other thanthe first apparatus.

Also, the sixth aspect of the present invention is the method accordingto any one of the first to fifth aspects, further comprising the step oftransmitting the second public key ax·g from a first apparatus thatcalculated the second public key ax·g to a second apparatus other thanthe first apparatus.

Also, the seventh aspect of the present invention is the methodaccording to any one of the first to fifth aspects, further comprisingthe step of displaying the second public key ax·g on a display screen ofa first apparatus that generated the second public key ax·g.

Also, the eighth aspect of the present invention is the method accordingto any one of the first to seventh aspects, further comprising the stepof transmitting the second secret key ax to a second apparatus otherthan a first apparatus that generated the second public key ax·g.

Also, the ninth aspect of the present invention is the method accordingto any one of the first to seventh aspects, further comprising the stepof displaying the second secret key ax on a display screen of a firstapparatus that generated the second public key ax·g.

Also, the tenth aspect of the present invention is the method accordingto any one of the first to seventh aspects, wherein the second secretkey ax is stored in a storage medium other than a first apparatus thatgenerated the second secret key ax·g.

Also, the eleventh aspect of the present invention is the methodaccording to the first to tenth aspects, wherein the x is apseudo-random number.

Also, the twelfth aspect of the present invention is a program forcausing a computer to perform a method of generating a second key paircomprising a second secret key and a second public key in associationwith a first key pair comprising a first secret key and a first publickey, wherein a first secret key is a, a generator of a cyclic group G isg, a first public key is a·g, a second secret key is ax, and a secondpublic key is ax·g, the method comprising steps of: determining aninteger x, determining a second secret key ax (where ax is an integer),multiplying the first public key a·g (where a is an integer) by the x,multiplying the first secret key a by the x and the g or multiplying thesecond secret key ax by the g, to calculate and store the second publickey ax·g.

Also, the thirteenth aspect of the present invention is an apparatus forgenerating a second key pair comprising a second secret key and a secondpublic key in association with a first key pair comprising a firstsecret key and a first public key, wherein a first secret key is a, agenerator of a cyclic group G is g, a first public key is a·g, a secondsecret key is ax, and a second public key is ax·g, configured to:determine an integer x, determine a second secret key ax (where ax is aninteger), multiply the first public key a·g (where a is an integer) bythe x, multiply the first secret key a by the x and the g, or multiplythe second secret key ax by the g, to calculate and store the secondpublic key ax·g.

Also, the fourteenth aspect of the present invention is a method forproving a reliability of a second public key which is part of a secondkey pair generated in association with a first key pair comprising afirst secret key and a first public key, wherein a first secret key isa, a generator of a cyclic group G₁ is g₁, a first public key is a·g₁, asecond secret key is ax, a second public key is ax·g₁, and H(n₁, n₂, . .. n_(N)) (N is an integer greater than or equal to 1) is a hashfunction, comprising steps of: receiving a proof request for a proof ofa reliability of the second public key ax·g₁, calculating a verificationformula expressed in equation (1) to verify proof data including x·H(n₁,n₂, . . . n_(N)) and ax·H(n₁, n₂, . . . n_(N)) in response to the proofrequest, and transmitting a result of the verification as a response tothe proof request,

e(ax·g ₁ ,H)=e(a·g ₁ ,x·H)=e(g ₁ ,ax·H)  (1)

wherein G₂ is a cyclic group with g₂ as a generator, G_(T) is a cyclicgroup with g_(T) as a generator, and a bilinear map e can be definedfrom G₁×G₂ to G_(T), and wherein a hash function H(n₁, n₂, . . . n_(N))can be defined as a map from an arbitrary combination of first to Nthdata to the cyclic group G₂ in which n₁ is ax·g₁.

Also, the fifteenth aspect of the present invention is the methodaccording to the fourteenth aspect, wherein N is greater than or equalto 2 and n₂ is data representing an attribute given to the second keypair.

Also, the sixteenth aspect of the present invention is the methodaccording to the fourteenth or fifteenth aspect, wherein the proofrequest includes the second public key ax·g₁.

Also, the seventeenth aspect of the present invention is the methodaccording to the fourteenth or fifteenth aspect, wherein the proofrequest includes the proof data.

Also, the eighteenth aspect of the present invention is a program forcausing a computer to perform a method for proving a reliability of asecond public key which is part of a second key pair generated inassociation with a first key pair comprising a first secret key and afirst public key, wherein a first secret key is a, a generator of acyclic group G₁ is g₁, a first public key is a·g₁, a second secret keyis ax, a second public key is ax·g₁, and H(n₁, n₂, . . . n_(N)) (N is aninteger greater than or equal to 1) is a hash function, comprising stepsof: receiving a proof request for a proof of a reliability of the secondpublic key ax·g₁, calculating a verification formula represented byequation (1) to verify proof data including x·H(n₁, n₂, . . . n_(N)) andax·H(n₁, n₂, . . . n_(N)) in response to the proof request, andtransmitting a result of the verification as a response to the proofrequest,

e(ax·g ₁ ,H)=e(a·g ₁ ,x·H)=e(g ₁ ,ax·H)  (1)

wherein G₂ is a cyclic group with g₂ as a generator, G_(T) is a cyclicgroup with g_(T) as a generator, and a bilinear map e can be definedfrom G₁×G₂ to G_(T), and wherein a hash function H(n₁, n₂, . . . n_(N))can be defined as a map from an arbitrary combination of first to Nthdata to the cyclic group G₂ in which n₁ is ax·g₁.

Also, the nineteenth aspect of the present invention is an apparatus forproving a reliability of a second public key which is part of a secondkey pair generated in association with a first key pair comprising afirst secret key and a first public key, wherein a first secret key isa, a generator of the cyclic group G₁ is g₁, a first public key is a·g₁,a second secret key is ax, a second public key is ax·g₁, and H(n₁, n₂, .. . n_(N)) (N is an integer greater than or equal to 1) is a hashfunction, configured to: receive a proof request for a proof of thereliability of the second public key ax·g₁, calculate a verificationformula expressed in equation (1) to verify proof data including x·H(n₁,n₂, . . . n_(N)) and ax·H(n₁, n₂, . . . n_(N)) in response to the proofrequest, and transmit a result of the verification as a response to theproof request,

e(ax·g ₁ ,H)=e(a·g ₁ ,x·H)=e(g ₁ ,ax·H)  (1)

wherein G₂ is a cyclic group with g₂ as a generator, G_(T) is a cyclicgroup with g_(T) as a generator, and a bilinear map e can be definedfrom G₁×G₂ to G_(T), and wherein a hash function H(n₁, n₂, . . . n_(N))can be defined as a map from an arbitrary combination of first to Nthdata to the cyclic group G₂ in which n₁ is ax·g₁.

Also, the twentieth aspect of the present invention is a method forproving a reliability of a second identifier generated in associationwith a first identifier, wherein a first constant is a, a generator of acyclic group G₁ is g₁, a first identifier is a·g₁, a second constant isax, a second identifier is ax·g₁, and H(n₁, n₂, . . . n_(N)) (N is aninteger greater than or equal to 1) is a hash function, comprising stepsof: receiving a proof request for a proof of the reliability of thesecond identifier ax·g₁, calculating a verification formula expressed inequation (1) to verify proof data including x·H(n₁, n₂, . . . n_(N)) andax·H(n₁, n₂, . . . n_(N)) in response to the proof request, andtransmitting a result of the verification as a response to the proofrequest,

e(ax·g ₁ ,H)=e(a·g ₁ ,x·H)=e(g ₁ ,ax·H)  (1)

wherein G₂ is a cyclic group with g₂ as a generator, G_(T) is a cyclicgroup with g_(T) as a generator, and a bilinear map e can be definedfrom G₁×G₂ to G_(T), and wherein a hash function H(n₁, n₂, . . . n_(N))can be defined as a map from an arbitrary combination of first to Nthdata to the cyclic group G₂ in which n₁ is ax·g₁.

According to one aspect of the present invention, since a second keypair can be defined so that a second public key which is part of thesecond key pair generated in association with a first key pair can bemathematically proved as a child key of a first public key which is partof the first key pair, the generation of the second key pair that can beused for digital signature is made possible without the need for acertification authority.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a flowchart of a method of generating a second key pairfrom a first key pair according to the first embodiment of the presentinvention.

FIG. 2 shows a system for proving the reliability of a second public keywhich is part of a second key pair generated from a first key pairaccording to the second embodiment of the present invention.

FIG. 3 shows an example of a method flow for proving the reliability ofa second public key which is part of a second key pair generated from afirst key pair according to the second embodiment of the presentinvention.

DETAILED DESCRIPTION

Hereinafter, embodiments of the present invention will be described indetail with reference to the drawings.

First Embodiment

FIG. 1 shows a flowchart of a method for generating a second key pairfrom a first key pair according to the first embodiment of the presentinvention. The generation of a key pair can be performed on anyapparatus capable of performing the processes described below, which canbe a portable device such as a smartphone, tablet, etc., by way ofexample. It is not necessarily needed to be connected to a computernetwork, such as the Internet, during the generation of the second keypair.

On the apparatus, G₁ is defined as a cyclic group with g₁ as itsgenerator, G₂ is defined as a cyclic group with g₂ as its generator, andG_(T) is defined as a cyclic group with g_(T) as its generator. A map eis defined as a map from G₁×G₂ to G_(T), and a hash function H′(m) isdefined as a map from any data m to G₂. It is possible to compute themap e and the hash function H′(m) on the apparatus. In addition, the mape shall satisfy the bilinearity shown by the following equation, with aand b as arbitrary integers.

e(a·g ₁ ,b·g ₂)=g _(T) ^(ab)

The orders of the generators g₁ and g₂ should be prime, and therespective numbers of elements of the cyclic groups G1 and G2 generatedby respective generators are preferably greater than or equal to 32bytes, or 256 bits, as an example. Here, the operations in the cyclicgroups G1 and G2 are described additively; for example, the operation ofrepeatedly adding the generator g₁ a times is expressed as a·g₁ andreferred to as “multiplying a to a generator g₁”. Note thatmultiplication between the elements of a set of integers, such as ax, isalso used herein as a notation, but it is different from multiplicationin a cyclic additive group. Although the cyclic groups G1 and G2 aredescribed herein as additive groups, we remind you that they areequivalent to the present invention and are within the technical scopeof the present invention even if they are described as cyclicmultiplicative groups.

First, read the pre-generated first secret key a and the first publickey a·g₁ as the first key pair (S101). Here, a is an integer, preferablydetermined as a random number, for example. Next, determine an integer x(S102). Here, the integer x can be determined, for example, as a randomnumber or a pseudo-random number, preferably other than 1. As anexample, we can define i as an integer and a pseudo-random number x as ahash value with a+i as the argument. In this way, the ith determined xcan be calculated as appropriate without having to store the ithdetermined x. Then, as the second key pair, the second secret key ax andthe second public key ax·g₁ are calculated and stored by multiplying x(S103).

The owner of the public key a·g₁ can be assumed in this embodiment to becertified by a digital certificate issued by a conventional trustedcertification authority. Alternatively, it can be assumed to be providedreliability by some form other than certification by a certificationauthority.

If the first key pair is used to perform a digital signature onarbitrary data m, if a·H′(m) is the signature s, then using thedisclosed generator g₁ and the first public key a·g₁, the recipient ofthe data m and the signature s can compute the following equation, andthe signature s can be verified by matching the left and right sides,which shows that the first key pair defined as described above can beused as a cryptographic scheme.

e(a·g ₁ ,H′(m))=e(g ₁ ,a·H′(m))=e(g ₁ ,s)

Similarly, the second key pair can be shown to be a valid cryptographicscheme. But unless it is provable that the second public key, ax·g₁, wasgenerated by the owner of the first public key, a·g₁, to whichreliability has been provided, the signature by the second key paircannot be any more reliable than that it was signed by the second secretkey, ax. This point will be discussed in the second embodiment.

As a cryptographic scheme for electronic proof of arbitrary data m, acryptographic scheme using an elliptic curve such as Elliptic Curve DSAcan be employed if the elements of the cyclic group G₁ generated by thegenerator g₁ are points on an elliptic curve and a known predeterminedrelationship between the elements holds.

Here, in the explanation above, it is assumed that the first secret keya and the first public key a·g₁ are determined and stored in advance,but the first secret key a may be determined in advance and the firstpublic key a·g₁ can be calculated if necessary. In the descriptionabove, an integer x is determined after the first secret key a and thefirst public key a·g₁ are determined, but the first secret key a and, ifnecessary, the first public key a·g₁ may be determined after the integerx is determined. Also, instead of determining the first secret key adirectly, the integer x and the second secret key ax may be determinedand stored as random or pseudo-random numbers, respectively, and thefirst secret key a may be calculated from these values. In other words,the generation of the second key pair includes various aspects ofgeneration in association with the first key pair. The value of x mayalso be calculated from the value of a and the value of ax, ifnecessary.

The first secret key a is data never disclosed externally in principle,although it may be stored in an external storage medium or storagedevice for backup. Also, x is not data to be disclosed externally inprinciple.

One feature of the generation of the second key pair according to thisembodiment is that the second secret key ax is an element of the set ofintegers as well as the first secret key a, and the second public keyax·g is an element of the cyclic group G1 generated by the generator gas well as the first public key a·g, so that the second key pair is ofthe same format as the first key pair, allowing repeatedly generating achild key pair, such as the third key pair from the second key pair andthe fourth key pair from the third key pair.

It is to be noted that if the term “only” is not written, such as in“based only on x”, “in response to x only”, or “in the case of x only”,in the present specification, it is assumed that additional informationmay also be taken into account. Also, as an example, it is to be notedthat a description “b is performed in the case of a” does notnecessarily mean “b is always performed in the case of a” except whereexpressly stated.

In addition, as a caveat, even if there are aspects of a method,program, terminal, apparatus, server or system (hereinafter referred toas “method, etc.”) that perform operations different from thosedescribed herein, each aspect of the invention is intended to performthe same operation as one of the operations described herein, and theexistence of an operation different from those described herein does notmean that the method, etc. is outside the scope of each aspect of theinvention.

Second Embodiment

FIG. 2 shows a system for proving the reliability of a second public keywhich is part of a second key pair generated from a first key pair,according to the second embodiment of the present invention.

The system 200 comprises a transmitting apparatus 210 that generates asecond key pair from the first key pair to transmit a second public keythat is part of the second key pair, a receiving apparatus 220 thatreceives the second public key, and a certifying apparatus 230 thatproves the reliability of the second public key. The transmittingapparatus 210, the receiving apparatus 220 and the proving apparatus 230can communicate with each other via a computer network.

The proving apparatus 230 is a computer comprising a communication unit231, such as a communication interface, a processing unit 232, such as aprocessor, CPU, etc., and a storage unit 233 including a storage deviceor medium, such as a memory, hard disk, etc., and can realize each ofthe processes described below by executing a prescribed program. Theproving apparatus 230 may include one or more apparatuses or servers.The program may include one or more programs, and may be stored on acomputer-readable storage medium to form a non-transitory programproduct. With respect to the transmitting and receiving apparatuses 210and 220, although not shown in the figure, they may have similarhardware configurations.

In the transmitting apparatus 210, the second public key ax·g₁, which ispart of the second key pair generated by the method described in thefirst embodiment, cannot play a role in identifying its owner if itsreliability cannot be verified at the receiving apparatus 220 thatreceives it. Therefore, in this embodiment, the receiving apparatus 220makes a request for a proof of the reliability of the second public keyax·g₁ to the proving apparatus 230.

Specifically, the proving apparatus 230 receives x·H(n) and ax·H(n) asproof data in addition to the second public key ax·g₁, either indirectlyvia the receiving apparatus 220 or directly from the transmittingapparatus 210. The proving apparatus 230 can prove that the secondpublic key ax·g₁ was generated by the owner of the first public keya·g₁, based on the fact that the calculation result of the followingverification formula shows that the three sides match, using thegenerator g₁ and the first public key a·g₁ known and accessible in someway. Here, n is ax·g₁ and H(n) is a map to G₂, which can be the same ordifferent from H′(m) used for the digital signature described above.

e(ax·g ₁ ,H(n))=e(a·g ₁ ,x·H(n))=e(g ₁ ,ax·H(n))

Since x·H(n) cannot be calculated without knowing the integer x, and inaddition, ax·H(n) cannot be calculated without knowing the integer a,the fact that three sides match proves that the provider of x·H(n) andax·H(n) is the owner of the first public key a·g₁ who generated thesecond public key ax·g₁, without knowing a and x or a and ax.

In the description above, we have considered the case where there is asingle parent key pair that generates a child key pair, but when therecan be multiple parent key pairs, it is necessary to specify withrespect to which parent public key of a parent key pair the proof ofbeing a child public key is needed.

The proving apparatus 230 may be the same as the receiving apparatus220, in which case it can prove the reliability of the second public keyax·g₁ by itself. The proving apparatus 230 may also be the same as thetransmitting apparatus 210, in which case the generator of the secondpublic key ax·g₁ will prove its reliability by itself.

FIG. 3 shows the flow of a method of proving the reliability of a secondpublic key, in the example of a proving apparatus receiving proof datafrom a generating apparatus. In the description above, we used the termtransmitting apparatus, but we will use the more generalized termgenerating apparatus in FIG. 3.

The generating apparatus 210 calculates and stores the proof data,x·H(n) and ax·H(n), at or around the time it generates the second publickey ax·g₁ which is part of the second key pair (S301). The generatingapparatus 210 provides the calculated proof data to the receivingapparatus 220 (S302). As the manners of providing data to the receivingapparatus 220, various aspects can be raised including transmission tothe receiving apparatus 220 via a computer network, connection of astorage medium storing the proof data to the receiving apparatus 220,input of the proof data displayed on the display screen of thegenerating apparatus 210 to the receiving apparatus 220, and read out,by an image sensor of the receiving apparatus 220, of proof datadisplayed on a display screen on the generating apparatus 210 orcorresponding data. Various aspects of providing a first public key a·g₁and a second public key ax·g₁ from the generating apparatus 210 to thereceiving apparatus 220 or other apparatus can be raised similarly.

While the proof data can include H(n), H(n) may be calculated asnecessary at the proving apparatus 230 or at the generating apparatus210 or the receiving apparatus 220 that provides the proof data to theproving apparatus 230.

Upon receiving the proof data, the receiving apparatus 220 transmits aproof request to the proving apparatus 230 asking for a proof that thesecond public key ax·g₁ was generated by the owner of the first publickey a·g₁, in other words, that the second public key ax·g₁ is in aparent-child relationship with the first public key a·g₁ (S303).

The proof request includes proof data in this example, but need not beincluded in the example where the proof data is provided directly fromthe generating apparatus 210 to the proving apparatus 230. As notedabove, in the case where the generating apparatus 210 also serves as theproving apparatus 230, “provide” includes providing it to itself. Inaddition, a “proof request” includes a request to itself in the casewhere the receiving apparatus 220 also serves as the proving device 230.

The proof request can include a second public key ax·g₁, which is achild key in the parent-child relationship that is to be proved, and afirst public key a·g₁, which is a parent key in said parent-childrelationship. At least one of the parent and child keys can be provideddirectly or indirectly by the generating apparatus 210 to the provingapparatus 230 and stored in advance in the proving apparatus 230,eliminating the need for explicit specification in the proof request.

The proving apparatus 230 validates the proof data by calculating averification formula for the proof data in response to a proof request(S304).

The proving apparatus 230 then transmits the verification result as aresponse to the proof request from the receiving apparatus 220 (S305).When the receiving apparatus 220 also serves as the proving apparatus230, it stores the verification result in its own storage apparatus orstorage medium, but such a process may be included in the concept of“transmission” to itself.

In the above description, the first public key a·g₁ and the secondpublic key ax·g₁ have been described as “public keys”, but they can alsobe described as “identifiers” of entities that perform some activity onthe Internet. Specifically, the spirit of the present invention can beunderstood as an apparatus, method, and program for evaluating areliability of a second identifier generated based on or in associationwith a first identifier.

Third Embodiment

The transmitting apparatus 210 can also provide the receiving apparatus220 a second secret key ax in addition to the second public key ax·g₁,while keeping the first secret key a secret. The second secret key axcan be provided in various ways similar to other data. In this case, thereceiving apparatus 220 can use the second key pair to perform anelectronic signature on the data m. Then, if it receives the proof dataincluding x·H(n) and ax·H(n) from the transmitting apparatus 210, itcan, if necessary, pass ax·g₁, x·H(n), and ax·H(n) to the recipient ofthe digital signature along with the data m and the signature s thereto.The recipient will be able to show that the digital signature is by thesecond key pair generated by the owner of the first public key a·g₁.

The receiving apparatus 220 is functioning here as a signing apparatusand transmits to the other apparatus, as part of the signed data inwhich signature s is added to data m, or as separate data from thesigned data, the proof data, and if necessary at least one of the firstpublic key a·g₁ and the second public key ax·g₁.

The receiving apparatus 220 can generate a third key pair comprising athird secret key axy and a third public key axy·g₁ as a further childkey pair of the second key pair, if the second secret key ax isprovided. Here, the integer y can be defined as a random orpseudo-random number and is preferably other than 1.

Fourth Embodiment

In the above embodiment, a single parameter n has been considered as theargument for the map H(n) to G₂, but it may be H(n₁, n₂, . . . n_(N))with N arguments (N is an integer greater than or equal to 1).

For example, when N=2, n₁ can be the second public key ax·g₁ and n₂ canbe any string str. As examples of the string str, the expiration date ofthe second key pair, the ID, such as an email address, of the recipientof the second public key, etc. can be raised. More generally, n₂ can beany data representing an attribute given to the second key pair.

The generating apparatus 210 may also receive a request for a generationof the second key pair from the receiving apparatus 220 or otherapparatus prior to the generation of the second key pair and then beginthe generation, and it may take some data included in the generationrequest as the value of the argument n₂.

REFERENCE SIGNS LIST

-   200 System-   210 Transmitting apparatus-   220 Receiving apparatus-   230 Proving apparatus-   231 Communication unit-   232 Processing unit-   233 Storage unit

1. A method for proving a reliability of a second public key which ispart of a second key pair generated in association with a first key paircomprising a first secret key and a first public key, wherein the firstsecret key is a, a generator of a cyclic group G₁ is g₁, the firstpublic key is a·g₁, the second secret key is ax, the second public keyis ax·g₁, and H(n₁, n₂, . . . n_(N)) (N is an integer greater than orequal to 1) is a hash function, comprising steps of: receiving a proofrequest for a proof of a reliability of the second public key ax·g₁,calculating a verification formula expressed in equation (1) to verifyproof data including x·H(n₁, n₂, . . . n_(N)) and ax·H(n₁, n₂, . . .n_(N)) in response to the proof request, and transmitting a result ofthe verification as a response to the proof request,e(ax·g ₁ ,H)=e(a·g ₁ ,x·H)=e(g ₁ ,ax·H)  (1) wherein G₂ is a cyclicgroup with g₂ as a generator, G_(T) is a cyclic group with g_(T) as agenerator, and a bilinear map e can be defined from G₁×G₂ to G_(T), andwherein a hash function H(n₁, n₂, . . . n_(N)) can be defined as a mapfrom an arbitrary combination of first to Nth data to the cyclic groupG₂ in which n₁ is ax·g₁.
 2. The method according to claim 1, wherein Nis greater than or equal to 2 and n₂ is data representing an attributegiven to the second key pair.
 3. The method according to claim 1,wherein the proof request includes the second public key ax·g₁.
 4. Themethod according to claim 1, wherein the proof request includes theproof data.
 5. A program for causing a computer to perform a method forproving a reliability of a second public key which is part of a secondkey pair generated in association with a first key pair comprising afirst secret key and a first public key, wherein the first secret key isa, a generator of a cyclic group G₁ is g₁, the first public key is a·g₁,the second secret key is ax, the second public key is ax·g₁, and H(n₁,n₂, . . . n_(N)) (N is an integer greater than or equal to 1) is a hashfunction, the method comprising steps of: receiving a proof request fora proof of a reliability of the second public key ax·g₁, calculating averification formula expressed in equation (1) to verify proof dataincluding x·H(n₁, n₂, . . . n_(N)) and ax·H(n₁, n₂, . . . n_(N)) inresponse to the proof request, and transmitting a result of theverification as a response to the proof request,e(ax·g ₁ ,H)=e(a·g ₁ ,x·H)=e(g ₁ ,ax·H)  (1) wherein G₂ is a cyclicgroup with g₂ as a generator, G_(T) is a cyclic group with g_(T) as agenerator, and a bilinear map e can be defined from G₁×G₂ to G_(T), andwherein a hash function H(n₁, n₂, . . . n_(N)) can be defined as a mapfrom an arbitrary combination of first to Nth data to the cyclic groupG₂ in which n₁ is ax·g₁.
 6. An apparatus for proving a reliability of asecond public key which is part of a second key pair generated inassociation with a first key pair comprising a first secret key and afirst public key, wherein the first secret key is a, a generator of acyclic group G₁ is g₁, the first public key is a·g₁, the second secretkey is ax, the second public key is ax·g₁, and H(n₁, n₂, . . . n_(N)) (Nis an integer greater than or equal to 1) is a hash function, configuredto: receive a proof request for a proof of a reliability of the secondpublic key ax·g₁, calculate a verification formula expressed in equation(1) to verify proof data including x·H(n₁, n₂, . . . n_(N)) and ax·H(n₁,n₂, . . . n_(N)) in response to the proof request, and send a result ofthe verification as a response to the proof request,e(ax·g ₁ ,H)=e(a·g ₁ ,x·H)=e(g ₁ ,ax·H)  (1) wherein G₂ is a cyclicgroup with g₂ as a generator, G_(T) is a cyclic group with g_(T) as agenerator, and a bilinear map e can be defined from G₁×G₂ to G_(T), andwherein a hash function H(n₁, n₂, . . . n_(N)) can be defined as a mapfrom an arbitrary combination of first to Nth data to the cyclic groupG₂ in which n₁ is ax·g₁.
 7. A method for proving a reliability of asecond identifier generated in association with a first identifier,wherein a first constant is a, a generator of a cyclic group G₁ is g₁, afirst identifier is a·g₁, a second constant is ax, a second identifieris ax·g₁, and H(n₁, n₂, . . . n_(N)) (N is an integer greater than orequal to 1) is a hash function, comprising steps of: receiving a proofrequest for a proof of a reliability of the second identifier ax·g₁,calculating a verification formula expressed in formula (1) to verifyproof data including x·H(n₁, n₂, . . . n_(N)) and ax·H(n₁, n₂, . . .n_(N)) in response to said proof request, and transmitting a result ofthe verification as a response to the proof request,e(ax·g ₁ ,H)=e(a·g ₁ ,x·H)=e(g ₁ ,ax·H)  (1) wherein G₂ is a cyclicgroup with g₂ as a generator, G_(T) is a cyclic group with g_(T) as agenerator, and a bilinear map e can be defined from G₁×G₂ to G_(T), andwherein a hash function H(n₁, n₂, . . . n_(N)) can be defined as a mapfrom an arbitrary combination of first to Nth data to the cyclic groupG₂ in which n₁ is ax·g₁.